maride/hacktricks
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks.git synced 2025-10-10 18:36:50 +00:00
Code Issues Packages Projects Releases Wiki Activity

Translated ['src/windows-hardening/active-directory-methodology/adws-enu

Browse Source
This commit is contained in:
Translator 2025-07-28 12:13:22 +00:00
parent 3ff2ee443b
commit ac3d7f7f6d
3 changed files with 155 additions and 57 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
src/SUMMARY.md
View File

@ -260,6 +260,7 @@
- [Ad Certificates](windows-hardening/active-directory-methodology/ad-certificates.md)
- [AD information in printers](windows-hardening/active-directory-methodology/ad-information-in-printers.md)
- [AD DNS Records](windows-hardening/active-directory-methodology/ad-dns-records.md)
- [Adws Enumeration](windows-hardening/active-directory-methodology/adws-enumeration.md)
- [ASREPRoast](windows-hardening/active-directory-methodology/asreproast.md)
- [BloodHound & Other AD Enum Tools](windows-hardening/active-directory-methodology/bloodhound.md)
- [Constrained Delegation](windows-hardening/active-directory-methodology/constrained-delegation.md)

106
src/windows-hardening/active-directory-methodology/adws-enumeration.md Normal file
View File

@ -0,0 +1,106 @@
# Active Directory Web Services (ADWS) Enumeration & Stealth Collection
{{#include ../../banners/hacktricks-training.md}}
## What is ADWS?
Active Directory Web Services (ADWS) **imewezeshwa kwa default kwenye kila Domain Controller tangu Windows Server 2008 R2** na inasikiliza kwenye TCP **9389**. Licha ya jina, **hakuna HTTP inayohusika**. Badala yake, huduma hii inaonyesha data ya mtindo wa LDAP kupitia seti ya protokali za umiliki za .NET:
* MC-NBFX → MC-NBFSE → MS-NNS → MC-NMF
Kwa sababu trafiki imefungwa ndani ya hizi binary SOAP frames na inasafiri kupitia bandari isiyo ya kawaida, **kuhesabu kupitia ADWS kuna uwezekano mdogo wa kukaguliwa, kuchujwa au kusainiwa kuliko trafiki ya kawaida ya LDAP/389 & 636**. Kwa waendeshaji hii inamaanisha:
* Utafiti wa siri Timu za buluu mara nyingi hujikita kwenye maswali ya LDAP.
* Uhuru wa kukusanya kutoka **kwa mwenyeji asiye wa Windows (Linux, macOS)** kwa kutoboa 9389/TCP kupitia SOCKS proxy.
* Data sawa ambayo ungeweza kupata kupitia LDAP (watumiaji, vikundi, ACLs, muundo, nk.) na uwezo wa kufanya **kuandika** (mfano `msDs-AllowedToActOnBehalfOfOtherIdentity` kwa **RBCD**).
> NOTE: ADWS pia inatumika na zana nyingi za RSAT GUI/PowerShell, hivyo trafiki inaweza kuchanganyika na shughuli halali za admin.
## SoaPy Native Python Client
[SoaPy](https://github.com/logangoins/soapy) ni **utekelezaji kamili wa protokali ya ADWS katika Python safi**. Inaunda NBFX/NBFSE/NNS/NMF frames byte kwa byte, ikiruhusu ukusanyaji kutoka kwa mifumo kama Unix bila kugusa .NET runtime.
### Key Features
* Inasaidia **proxying kupitia SOCKS** (inayofaa kutoka kwa C2 implants).
* Filters za utafutaji zenye undani sawa na LDAP `-q '(objectClass=user)'`.
* Operesheni za hiari za **kuandika** ( `--set` / `--delete` ).
* **BOFHound output mode** kwa ajili ya uingizaji wa moja kwa moja katika BloodHound.
* `--parse` flag ili kuboresha alama za muda / `userAccountControl` wakati usomaji wa kibinadamu unahitajika.
### Installation (operator host)
```bash
python3 -m pip install soapy-adws # or git clone && pip install -r requirements.txt
```
## Stealth AD Collection Workflow
The following workflow shows how to enumerate **domain & ADCS objects** over ADWS, convert them to BloodHound JSON and hunt for certificate-based attack paths all from Linux:
1. **Tunnel 9389/TCP** kutoka kwenye mtandao wa lengo hadi kwenye sanduku lako (kwa mfano kupitia Chisel, Meterpreter, SSH dynamic port-forward, n.k.). Export `export HTTPS_PROXY=socks5://127.0.0.1:1080` au tumia SoaPys `--proxyHost/--proxyPort`.
2. **Kusanya kitu cha msingi cha domain:**
```bash
soapy ludus.domain/jdoe:'P@ssw0rd'@10.2.10.10 \
-q '(objectClass=domain)' \
| tee data/domain.log
```
3. **Kusanya vitu vinavyohusiana na ADCS kutoka kwa Configuration NC:**
```bash
soapy ludus.domain/jdoe:'P@ssw0rd'@10.2.10.10 \
-dn 'CN=Configuration,DC=ludus,DC=domain' \
-q '(|(objectClass=pkiCertificateTemplate)(objectClass=CertificationAuthority) \\
(objectClass=pkiEnrollmentService)(objectClass=msPKI-Enterprise-Oid))' \
| tee data/adcs.log
```
4. **Badilisha kuwa BloodHound:**
```bash
bofhound -i data --zip # produces BloodHound.zip
```
5. **Pakia ZIP** kwenye GUI ya BloodHound na uendeshe maswali ya cypher kama `MATCH (u:User)-[:Can_Enroll*1..]->(c:CertTemplate) RETURN u,c` ili kufichua njia za kupandisha cheo za cheti (ESC1, ESC8, n.k.).
### Kuandika `msDs-AllowedToActOnBehalfOfOtherIdentity` (RBCD)
```bash
soapy ludus.domain/jdoe:'P@ssw0rd'@dc.ludus.domain \
--set 'CN=Victim,OU=Servers,DC=ludus,DC=domain' \
msDs-AllowedToActOnBehalfOfOtherIdentity 'B:32:01....'
```
Patanisha hii na `s4u2proxy`/`Rubeus /getticket` kwa mnyororo kamili wa **Resource-Based Constrained Delegation**.
## Ugunduzi & Uimarishaji
### Kurekodi kwa Kina ADDS
wezesha funguo zifuatazo za rejista kwenye Watawala wa Kikoa ili kuonyesha utafutaji ghali / usio na ufanisi unaotoka kwenye ADWS (na LDAP):
```powershell
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics' -Name '15 Field Engineering' -Value 5 -Type DWORD
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' -Name 'Expensive Search Results Threshold' -Value 1 -Type DWORD
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' -Name 'Search Time Threshold (msecs)' -Value 0 -Type DWORD
```
Mifano itatokea chini ya **Directory-Service** na kichujio kamili cha LDAP, hata wakati ombi lilifika kupitia ADWS.
### SACL Canary Objects
1. Unda kitu cha dummy (mfano, mtumiaji aliyezuiliwa `CanaryUser`).
2. Ongeza **Audit** ACE kwa _Everyone_ principal, iliyokaguliwa kwenye **ReadProperty**.
3. Wakati mshambuliaji anapofanya `(servicePrincipalName=*)`, `(objectClass=user)` nk, DC inatoa **Event 4662** ambayo ina SID halisi ya mtumiaji hata wakati ombi linapokuwa na proxy au linatoka ADWS.
Mfano wa sheria iliyojengwa awali ya Elastic:
```kql
(event.code:4662 and not user.id:"S-1-5-18") and winlog.event_data.AccessMask:"0x10"
```
## Muhtasari wa Zana
| Kusudi | Zana | Maelezo |
|--------|------|---------|
| ADWS enumeration | [SoaPy](https://github.com/logangoins/soapy) | Python, SOCKS, kusoma/kandika |
| BloodHound ingest | [BOFHound](https://github.com/bohops/BOFHound) | Hubadilisha SoaPy/ldapsearch logs |
| Uthibitisho wa cheti | [Certipy](https://github.com/ly4k/Certipy) | Inaweza kupitishwa kupitia SOCKS sawa |
## Marejeleo
* [SpecterOps Hakikisha Kutumia SOAP(y) Mwongozo wa Wafanya Kazi kwa Kukusanya AD kwa Siri kwa Kutumia ADWS](https://specterops.io/blog/2025/07/25/make-sure-to-use-soapy-an-operators-guide-to-stealthy-ad-collection-using-adws/)
* [SoaPy GitHub](https://github.com/logangoins/soapy)
* [BOFHound GitHub](https://github.com/bohops/BOFHound)
* [Microsoft MC-NBFX, MC-NBFSE, MS-NNS, MC-NMF specifications](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-nbfx/)
{{#include ../../banners/hacktricks-training.md}}

105
src/windows-hardening/active-directory-methodology/bloodhound.md
View File

@ -1,87 +1,78 @@
# BloodHound & Other AD Enum Tools
# BloodHound & Other Active Directory Enumeration Tools
{{#include ../../banners/hacktricks-training.md}}
{{#ref}}
adws-enumeration.md
{{#endref}}
> KUMBUKA: Ukurasa huu unakusanya baadhi ya zana muhimu zaidi za **kuorodhesha** na **kuonyesha** uhusiano wa Active Directory. Kwa ukusanyaji kupitia njia ya siri ya **Active Directory Web Services (ADWS)** angalia rejea hapo juu.
---
## AD Explorer
[AD Explorer](https://docs.microsoft.com/en-us/sysinternals/downloads/adexplorer) ni kutoka Sysinternal Suite:
[AD Explorer](https://docs.microsoft.com/en-us/sysinternals/downloads/adexplorer) (Sysinternals) ni mtazamaji wa **AD** wa hali ya juu na mhariri ambao unaruhusu:
> Mtazamaji na mhariri wa hali ya juu wa Active Directory (AD). Unaweza kutumia AD Explorer kuvinjari hifadhidata ya AD kwa urahisi, kufafanua maeneo unayopenda, kuangalia mali za vitu, na sifa bila kufungua masanduku ya mazungumzo, kuhariri ruhusa, kuangalia muundo wa kitu, na kutekeleza utafutaji wa hali ya juu ambao unaweza kuokoa na kurudi kutekeleza.
* Kuangalia mti wa directory kwa GUI
* Kuedit mwelekeo wa vitu na maelezo ya usalama
* Uundaji wa picha za wakati / kulinganisha kwa uchambuzi wa mbali
### Snapshots
### Matumizi ya haraka
AD Explorer inaweza kuunda snapshots za AD ili uweze kuangalia mtandaoni.\
Inaweza kutumika kugundua vulns mtandaoni, au kulinganisha hali tofauti za hifadhidata ya AD kwa muda.
1. Anza zana na uungane na `dc01.corp.local` kwa akidi yoyote ya domain.
2. Unda picha ya mbali kupitia `File ➜ Create Snapshot`.
3. Linganisha picha mbili kwa `File ➜ Compare` ili kugundua mabadiliko ya ruhusa.
Utahitaji jina la mtumiaji, nenosiri, na mwelekeo wa kuungana (mtumiaji yeyote wa AD anahitajika).
Ili kuchukua snapshot ya AD, nenda kwenye `File` --> `Create Snapshot` na ingiza jina la snapshot.
---
## ADRecon
[**ADRecon**](https://github.com/adrecon/ADRecon) ni chombo ambacho kinatoa na kuunganisha vitu mbalimbali kutoka katika mazingira ya AD. Taarifa zinaweza kuwasilishwa katika **ripoti** ya Microsoft Excel **iliyoundwa kwa njia maalum** ambayo inajumuisha muonekano wa muhtasari na vipimo ili kuwezesha uchambuzi na kutoa picha kamili ya hali ya sasa ya mazingira ya AD ya lengo.
```bash
# Run it
.\ADRecon.ps1
[ADRecon](https://github.com/adrecon/ADRecon) inatoa seti kubwa ya vitu kutoka kwa domain (ACLs, GPOs, imani, templeti za CA …) na inazalisha **ripoti ya Excel**.
```powershell
# On a Windows host in the domain
PS C:\> .\ADRecon.ps1 -OutputDir C:\Temp\ADRecon
```
## BloodHound
---
From [https://github.com/BloodHoundAD/BloodHound](https://github.com/BloodHoundAD/BloodHound)
## BloodHound (kuonyesha grafu)
> BloodHound ni programu ya wavuti ya Javascript ya ukurasa mmoja, iliyojengwa juu ya [Linkurious](http://linkurio.us/), iliyokusanywa na [Electron](http://electron.atom.io/), ikiwa na hifadhidata ya [Neo4j](https://neo4j.com/) inayopatiwa na mkusanyiko wa data wa C#.
[BloodHound](https://github.com/BloodHoundAD/BloodHound) inatumia nadharia ya grafu + Neo4j kufichua uhusiano wa mamlaka yaliyofichika ndani ya AD ya ndani na Azure AD.
BloodHound inatumia nadharia ya grafu kufichua uhusiano wa siri na mara nyingi usiokusudiwa ndani ya mazingira ya Active Directory au Azure. Washambuliaji wanaweza kutumia BloodHound kutambua kwa urahisi njia za shambulio zenye ugumu mkubwa ambazo vinginevyo zingekuwa ngumu kutambua haraka. Walinzi wanaweza kutumia BloodHound kutambua na kuondoa njia hizo za shambulio. Timu za buluu na nyekundu zinaweza kutumia BloodHound kupata uelewa mzuri zaidi wa uhusiano wa mamlaka katika mazingira ya Active Directory au Azure.
Hivyo, [Bloodhound ](https://github.com/BloodHoundAD/BloodHound) ni chombo cha ajabu ambacho kinaweza kuhesabu kikoa kiotomatiki, kuhifadhi taarifa zote, kutafuta njia zinazowezekana za kupandisha mamlaka na kuonyesha taarifa zote kwa kutumia grafu.
Booldhound inajumuisha sehemu 2 kuu: **ingestors** na **programu ya uonyeshaji**.
**Ingestors** zinatumika ku **hesabu kikoa na kutoa taarifa zote** katika muundo ambao programu ya uonyeshaji itaelewa.
**Programu ya uonyeshaji inatumia neo4j** kuonyesha jinsi taarifa zote zinavyohusiana na kuonyesha njia tofauti za kupandisha mamlaka katika kikoa.
### Installation
Baada ya kuundwa kwa BloodHound CE, mradi mzima ulisasishwa kwa urahisi wa matumizi na Docker. Njia rahisi ya kuanza ni kutumia usanidi wa Docker Compose ulioandaliwa mapema.
1. Sakinisha Docker Compose. Hii inapaswa kujumuishwa na usakinishaji wa [Docker Desktop](https://www.docker.com/products/docker-desktop/).
2. Kimbia:
### Usanidi (Docker CE)
```bash
curl -L https://ghst.ly/getbhce | docker compose -f - up
# Web UI ➜ http://localhost:8080 (user: admin / password from logs)
```
3. Pata nenosiri lililotengenezwa kwa bahati katika matokeo ya terminal ya Docker Compose.
4. Katika kivinjari, tembelea http://localhost:8080/ui/login. Ingia kwa kutumia jina la mtumiaji **`admin`** na **`nenosiri lililotengenezwa kwa bahati`** ambalo unaweza kupata katika kumbukumbu za docker compose.
### Wakusanyaji
Baada ya hii, utahitaji kubadilisha nenosiri lililotengenezwa kwa bahati na utakuwa na kiolesura kipya kilichotayarishwa, ambacho unaweza kupakua ingestors moja kwa moja.
* `SharpHound.exe` / `Invoke-BloodHound` toleo la asili au PowerShell
* `AzureHound` uainishaji wa Azure AD
* **SoaPy + BOFHound** ukusanyaji wa ADWS (angalia kiungo kilichopo juu)
### SharpHound
#### Njia za kawaida za SharpHound
```powershell
SharpHound.exe --CollectionMethods All # Full sweep (noisy)
SharpHound.exe --CollectionMethods Group,LocalAdmin,Session,Trusts,ACL
SharpHound.exe --Stealth --LDAP # Low noise LDAP only
```
Wakusanyaji wanazalisha JSON ambayo inachukuliwa kupitia GUI ya BloodHound.
Wana chaguzi kadhaa lakini ikiwa unataka kuendesha SharpHound kutoka kwa PC iliyojiunga na eneo, ukitumia mtumiaji wako wa sasa na kutoa taarifa zote unaweza kufanya:
```
./SharpHound.exe --CollectionMethods All
Invoke-BloodHound -CollectionMethod All
```
> Unaweza kusoma zaidi kuhusu **CollectionMethod** na kikao cha loop [hapa](https://support.bloodhoundenterprise.io/hc/en-us/articles/17481375424795-All-SharpHound-Community-Edition-Flags-Explained)
Ikiwa unataka kutekeleza SharpHound ukitumia akreditif tofauti unaweza kuunda kikao cha CMD netonly na kuendesha SharpHound kutoka hapo:
```
runas /netonly /user:domain\user "powershell.exe -exec bypass"
```
[**Jifunze zaidi kuhusu Bloodhound katika ired.team.**](https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/abusing-active-directory-with-bloodhound-on-kali-linux)
---
## Group3r
[**Group3r**](https://github.com/Group3r/Group3r) ni chombo cha kutafuta **vulnerabilities** katika Active Directory zinazohusiana na **Group Policy**. \
Unahitaji **kufanya kazi group3r** kutoka kwa mwenyeji ndani ya eneo la kikoa ukitumia **mtumiaji yeyote wa kikoa**.
[Group3r](https://github.com/Group3r/Group3r) inataja **Group Policy Objects** na kuonyesha makosa ya usanidi.
```bash
group3r.exe -f <filepath-name.log>
# -s sends results to stdin
# -f send results to file
# Execute inside the domain
Group3r.exe -f gpo.log # -s to stdout
```
---
## PingCastle
[**PingCastle**](https://www.pingcastle.com/documentation/) **inafanya tathmini ya usalama wa mazingira ya AD** na inatoa **ripoti** nzuri yenye grafu.
Ili kuikimbia, unaweza kutekeleza binary `PingCastle.exe` na itaanzisha **sehemu ya maingiliano** ikionyesha menyu ya chaguzi. Chaguo la msingi kutumia ni **`healthcheck`** ambalo litaanzisha **muonekano** wa **kanda**, na kutafuta **mipangilio isiyo sahihi** na **udhaifu**.
[PingCastle](https://www.pingcastle.com/documentation/) inatekeleza **uchunguzi wa afya** wa Active Directory na inaunda ripoti ya HTML yenye alama za hatari.
```powershell
PingCastle.exe --healthcheck --server corp.local --user bob --password "P@ssw0rd!"
```
{{#include ../../banners/hacktricks-training.md}}